OCP 3.11 playbook to enable extended logging, disable TLS 1.0, and enable modern ciphers
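---
# OCP 3.11 router hardening play: extended access logging, no SSLv3/TLS 1.0/1.1
# on the frontends, and the 'modern' cipher profile.
#
# Every `oc` call is delegated to oc_host (provided by the oc_host /
# ocp_login_master roles) and runs once, so the play behaves the same when the
# bastion group has more than one host. The rollout is paused up front so the
# three reconfiguration steps produce a single router redeploy at the end.
- name: Configure OpenShift Router
  hosts: bastion
  gather_facts: false
  any_errors_fatal: true
  roles:
    - oc_host
    - ocp_login_master
  tasks:
    # Configure router
    - name: Pause router rollout
      delegate_to: "{{ oc_host }}"
      tags:
        - router
        - router_pause
      command: oc -n default rollout pause dc router
      run_once: true
      # An already-paused rollout returns non-zero; that is fine here.
      failed_when: false

    # Enable router extended logging
    - name: Configure router logging
      run_once: true
      tags:
        - router
        - router_logging
      delegate_to: "{{ oc_host }}"
      block:
        - name: Get current router image
          command: >-
            oc -n default get dc router
            -o jsonpath='{.spec.template.spec.containers[].image}'
          register: router_image
        # `oc adm router` regenerates the whole DC manifest; --images pins the
        # image that is already deployed so the apply only adds the logging
        # flags. Replica count defaults to the value this play always used.
        - name: Reconfigure router to use extended logging
          shell: >-
            oc -n default adm router --dry-run -o yaml --extended-logging
            --replicas={{ router_replicas | default(3) }}
            --images='{{ router_image.stdout }}' router
            | oc -n default apply -f -
        - name: Set router loglevel
          command: oc -n default set env dc/router --overwrite ROUTER_LOG_LEVEL=info

    # Disable TLS 1.0 (the bind options below drop TLS 1.1 as well) and log
    # X-Forwarded-For, by shipping a customised haproxy-config.template in a
    # configmap that the router mounts and uses via TEMPLATE_FILE.
    # https://access.redhat.com/solutions/3606201
    # https://docs.openshift.com/container-platform/3.11/install_config/router/customized_haproxy_router.html
    - name: Configure custom router settings
      run_once: true
      tags:
        - router
        - router_custom
      delegate_to: "{{ oc_host }}"
      block:
        - name: Create tempdir for current router config template
          tempfile:
            path: /tmp
            state: directory
          register: router_tempfile
        # The pipeline's exit status is sed's, not oc's, so an oc failure would
        # otherwise surface later as a broken `oc exec` with an empty pod name.
        - name: Get first router pod
          shell: "oc -n default get pods -o name -l router=router|head -n 1|sed -E 's~[^/]*/?~~'"
          register: router_pod
          failed_when: router_pod.stdout | length == 0
        - name: Export current config template
          command: >-
            oc -n default exec {{ router_pod.stdout }}
            /usr/bin/cat /var/lib/haproxy/conf/haproxy-config.template
          register: router_template
        - name: Create updated template file
          copy:
            content: "{{ router_template.stdout }}"
            dest: "{{ router_tempfile.path }}/haproxy-config.template"
        # ssl-default-bind-options belongs in haproxy's global section. If the
        # exported template has no such line, insert it after `global` rather
        # than letting lineinfile append it to the end of the file.
        - name: Update template file for TLS settings
          tags:
            - router_tls
          lineinfile:
            path: "{{ router_tempfile.path }}/haproxy-config.template"
            regexp: '^ *ssl-default-bind-options .*'
            insertafter: '^global$'
            line: "ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11"
        # The regexp never matches on purpose: lineinfile then inserts `line`
        # directly after each frontend, and skips it when that exact line
        # already follows the frontend, which keeps the task idempotent.
        - name: Update template file for capture header settings
          tags:
            - router_capture
          lineinfile:
            path: "{{ router_tempfile.path }}/haproxy-config.template"
            insertafter: "^frontend {{ item }}$"
            line: " capture request header X-Forwarded-For len 63"
            regexp: "NEVER MATCHING REGEX"
          with_items:
            - public
            - public_ssl
            - fe_sni
            - fe_no_sni
        - name: Create / Update configmap from tempfile
          shell: >-
            oc -n default create configmap --dry-run haproxy-config
            --from-file=haproxy-config.template={{ router_tempfile.path }}/haproxy-config.template
            --save-config -o yaml | oc -n default apply -f -
        - name: Add configmap to router as template
          command: >-
            oc -n default set volume dc/router --add --name=haproxy-custom
            --type=configmap --configmap-name=haproxy-config
            --mount-path=/var/lib/haproxy/conf/custom/ --overwrite
        - name: Set router to use new template file configmap
          command: >-
            oc -n default set env dc/router --overwrite
            TEMPLATE_FILE=/var/lib/haproxy/conf/custom/haproxy-config.template
      always:
        # Clean up the exported template even when a step above failed. The
        # path is only known once the tempfile task has run successfully.
        - name: Remove tempdir for router config template
          file:
            path: "{{ router_tempfile.path }}"
            state: absent
          when: router_tempfile.path is defined

    # https://docs.openshift.com/container-platform/3.11/architecture/networking/routes.html#ciphers
    # Tagged `router` like the other steps so a `--tags router` run does not
    # leave the cipher profile behind while still pausing/resuming the rollout.
    - name: Set router to use 'modern' cipher suite
      delegate_to: "{{ oc_host }}"
      run_once: true
      tags:
        - router
        - router_tls
      command: oc -n default set env dc/router --overwrite ROUTER_CIPHERS=modern

    - name: Resume router rollout
      delegate_to: "{{ oc_host }}"
      tags:
        - router
        - router_rollout
      command: oc -n default rollout resume dc router
      run_once: true
      # Resuming a rollout that was never paused returns non-zero; ignore it.
      failed_when: false
    - name: Wait for router rollout to complete
      delegate_to: "{{ oc_host }}"
      tags:
        - router
        - router_rollout
      command: oc -n default rollout status -w dc router
      changed_when: false
      run_once: true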